---
title: Common OIDC provider configurations
---

This page provides guides for configuring Weave GitOps with the most common OIDC providers.

## Google

Google's identity provider does not support the groups scope which Weave GitOps requests by default. That's why in
this example the `customScopes` field is set to only request the `openid` and `email` scopes.

1. Obtain the client ID and secret by following the [official guide](https://developers.google.com/identity/openid-connect/openid-connect)
   from Google.
1. Configure Weave GitOps:

   ```yaml
   apiVersion: v1
   kind: Secret
   metadata:
       name: oidc-auth
       namespace: WEAVE_GITOPS_NAMESPACE
   stringData:
       clientID: CLIENT_ID_FROM_STEP_1
       clientSecret: CLIENT_SECRET_FROM_STEP_1
       issuerURL: https://accounts.google.com
       redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
       customScopes: openid,email
   ```

## Azure AD

1. Obtain the client ID and secret by following the [official guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
   from Microsoft.
1. [optional] Configure group claims by following this [official guide](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles).
1. Configure Weave GitOps:

   ```yaml
   apiVersion: v1
   kind: Secret
   metadata:
       name: oidc-auth
       namespace: WEAVE_GITOPS_NAMESPACE
   stringData:
       clientID: CLIENT_ID_FROM_STEP_1
       clientSecret: CLIENT_SECRET_FROM_STEP_1
       issuerURL: https://login.microsoftonline.com/TENANT_ID/v2.0
       redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
       customScopes: openid
       claimUsername: sub
   ```

## Keycloak

Keycloak is highly customizable so the steps to obtain client ID and secret will vary depending on your setup. That's why
there is a [dedicated guide on setting up Keycloak and Weave GitOps to work together](./configuring-oidc-with-keycloak.mdx).
